Focus Mode
Threat Research

Caution: Malware on Fake WinRar Websites Hosted on GitHub

SonicWall

“`html
Short Summary:

A fake website mimicking the official WinRar site has been identified as a host for various malware, including ransomware, cryptominers, and infostealers. The site uses typosquatting to deceive users and leads them to download malicious components hosted on GitHub. The malware infection cycle begins with a shell script that sends system information to a Telegram account.

Key Points:

  • The fake website URL is win-rar.co, closely resembling the official win-rar.com.
  • Users may be misled into visiting the fake site due to URL typos.
  • The site hosts a malicious shell script named zx.ps1.
  • Malicious components include ransomware, cryptominers, and infostealers.
  • All scripts begin by sending system information to a Telegram account.
  • SonicWall provides protection against this threat through various detection methods.
  • Users are advised to only download software from official and reputable sources.

MITRE ATT&CK TTPs – created by AI

  • Initial Access (T1071.001) – Application Layer Protocol:
    • Using a fake website to lure users into downloading malware.
  • Execution (T1059.001) – PowerShell:
    • Executing the malicious shell script zx.ps1.
  • Persistence (T1547.001) – Registry Run Keys / Startup Folder:
    • Potentially using registry keys to maintain persistence on the infected system.
  • Command and Control (T1071) – Application Layer Protocol:
    • Sending system information to a Telegram account.
  • Exfiltration (T1041) – Exfiltration Over Command and Control Channel:
    • Exfiltrating data through the established command and control channel.

“`

Overview

A fake website seemingly distributing WinRar, a data compression, encryption, and archiving tool for Windows, has been seen also hosting malware. This fake website closely resembles the official website, uses typosquatting, and capitalizes on internet users who might incorrectly type the URL of this well-known archiving application. The initial malware then leads to a slew of malicious components hosted on GitHub, which include ransomware, cryptominer and infostealer.

Infection Cycle

The malicious website URL is win-rar.co, which is very close to the official website win-rar.com. Mistyping the URL and missing the “-m” in “.com” will lead an unsuspecting user to this fake website.

Figure 1: Fake website Win-rar.co mimicking the official Win-rar.com website.

This fake website has been seen to host a malicious shell script named zx.ps1.

Figure 2: Shell script zx.ps1 hosted on the fake WinRar website

This initial file leads to downloading more malicious files hosted on GitHub. Upon visiting the main GitHub project page “encrypthub,” we found what we can presume are all the component files to be used for this malware attack.

Figure 3: Main malware project page hosted on GitHub

Notice that all of these files have just been recently uploaded last week. Each directory contains malware files used for the following purposes:

  • Exclusions – Windows Defender exclusion
  • HVNC – to install a VNC Server with ngrok
  • Locker – ransomware
  • Miner – cryptominer
  • Stealer – Kematian Stealer, a known information stealer trojan that has been seen actively distributed on GitHub
  • Tgreport – sending Telegram message
  • Worm – inject shellcode into PE files
  • Zakrep – initial script that ties these all together
  • Shellcode.ps1 – a copy of the zx.ps1 on win-rar.co

Interestingly, all the shell scripts on this project page start with the malware sending a message to a Telegram account with the system’s computer name, username, and geolocation.

Figure 4: All ps1 files begin with the shell script of sending a Telegram message

At the time of analysis, we have not observed all components seen on GitHub from this project page being used in one attack. However, this certainly demonstrates how cybercriminals have multiple tools under their belts that can be used in multi-staged malware attacks.

As always, we urge our users to only use official and reputable websites as their source of software downloads. Always be vigilant and cautious when installing software programs, particularly if you are not certain of the source.

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Malagent.ZXPS(Trojan)

This threat is also detected by SonicWall Capture ATP with RTDMI™ and Capture Client endpoint solutions.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.

Source: Original Post

Tags: TOOL, TROJAN, WINDOWS, EXFILTRATION, PERSISTENCE, WORM, INITIAL ACCESS